DisputeHelp Reseller Data Processing Agreement
Last Updated: November 12, 2021
This reseller data processing agreement (“DPA”) is an agreement between you and the entity you represent or have authority to bind that entity to this agreement (“Reseller” or “you”), and DisputeHelp, LLC, a California limited liability company (“DHLLC”). This DPA forms part of any written or electronic agreement between you and DHLLC under which DHLLC Processes Personal Information on behalf of Reseller’s third-party customers for Services (each, a “Participating Seller”) (each, an “Agreement”), except with respect to any Agreement under which you and DHLLC have entered into data processing terms that address the subject matter of this DPA. Capitalized terms used here but not defined in this DPA will have the meanings given to them in the Agreement.
California Consumer Privacy Act
This CCPA Schedule applies in addition to any terms set out in the body of the DPA (and is incorporated in it) when the CCPA applies to Reseller’s use of DHLLC Services on behalf of its Participating Sellers, or to the extent Applicable Data Protection Law imposes a comparable requirement outlined under Schedule A. Capitalized terms not defined here have the meaning assigned to them under the DPA. To the extent there are any conflicts between this CCPA Schedule and the DPA, this CCPA Schedule will prevail.
Schedule B
General Data Protection Regulation
This GDPR Schedule applies in addition to any terms set out in the body of the DPA (and is incorporated in it) when the GDPR applies to Reseller’s Participating Sellers’ use of DHLLC Services, or to the extent Applicable Data Protection Law imposes a comparable requirement outlined under Schedule B. Capitalized terms not defined here have the meaning assigned to them under the DPA. To the extent there are any conflicts between this GDPR Schedule and the DPA, this GDPR Schedule will prevail.
Exhibit 1
Information Required for the EEA and UK Standard Contractual Clauses
Table 1
Information to be incorporated into the EEA Standard Contractual Clauses
Annex I A. List of Parties |
|
Data EXPORTER identity and contact details |
|
Name |
Reseller Entities |
Address |
To be provided on request |
Contact person’s name, position and contact details: |
To be provided on request |
Activities relevant to the data transferred under these Clauses: |
As set out in the table in Exhibit 2 under “Nature and Purpose of the Processing.” |
Role (controller/processor): |
Processor |
Data IMPORTER identity and contact details |
|
Name |
DHLLC Entities |
Address |
7360 El Camino Real, Suite A Atascadero, California 93422 U.S.A. |
Contact person’s name, position and contact details: |
|
Activities relevant to the data transferred under these Clauses: |
As set out in the table in Exhibit 2 under “Nature and Purpose of the Processing.” |
Role (controller/processor): |
Processor |
Annex I B. Description of Transfer |
|
Categories of data subjects whose personal data is transferred |
As set out in the table in Exhibit 2 under “Categories of Data Subjects.” |
Categories of personal data transferred |
As set out in the table in Exhibit 2 under “Types of Personal Information.” |
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures. |
Not Applicable |
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis). |
Continuous |
Nature of the processing |
As set out in the table in Exhibit 2 under “Nature and Purpose of the Processing.” |
Purpose(s) of the data transfer and further processing |
As set out in the table in Exhibit 2 under “Nature and Purpose of the Processing.” |
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period |
Personal data will be retained under DHLLC’s retention policies, for only as long as is required to meet DHLLC’s legal, regulatory, and operational requirements and as necessary to perform services. |
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing |
As set out in the table in Exhibit 2 under “Nature and Purpose of the Processing.” |
Annex I C. Competent Supervisory Authority |
|
Competent supervisory authority/ies |
To be provided by the data exporter on request. |
Annex II Technical and Organisational Measures Including Technical and Organisational Measures to Ensure the Security of The Data |
|
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons. |
As set out in Table 2 of this Exhibit 1 under “Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached).” |
For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter |
In respect of Transaction Services: initiatives, products, processes, and supporting technology are assessed from a data privacy perspective, allowing DHLLC to embed privacy controls to mitigate risks at early stages (privacy by design). DHLLC has a robust privacy risk assessment framework, embedding this process in our change vehicles across the business, to ensure that both new and changed personal data processing activities are reviewed. Where Customer requires specific assistance, it may submit those requests for assistance to privacy@chargebackhelp.com . |
Annex III List of Sub-Processors The controller has authorised the use of the following sub-processors: |
|
As set out in Exhibit 3 of this DPA. |
Table 2
Information to be incorporated in the UK C2P SCCs
Information to be incorporated into Appendix 1 of the UK C2P SCCs |
|
Category of Information Required by Appendix 1 of the UK C2P SCCs |
Information agreed by the parties |
Data Exporter |
Reseller on behalf of Participating Seller Entities |
Data Importer |
DHLLC Entities |
Data Subjects |
As set out in the table in Exhibit 2 under “Categories of Data Subjects.” |
Categories of Data |
As set out in the table in Exhibit 2 under “Types of Personal Information.” |
Special Categories of Data |
Not Applicable |
Processing Operations |
As set out in the table in Exhibit 2 under “Nature and Purpose of the Processing.” |
Information to be incorporated into Appendix 2 of the C2P Standard Contractual Clauses |
|
Category of Information Required by Appendix 1 of the C2P Standard Contractual Clauses |
Information agreed by the parties |
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached) |
DHLLC is certified as compliant with all standards established by the Payment Card Industry Data Security Standards (together with any successor organization to it, “PCI DSS”) that are applicable to DHLLC and its affiliates (those standards, “PCI Standards”). As evidence of compliance, DHLLC will provide its current Attestation of Compliance signed by a Payment Card Industry Qualified Security Assessor on Seller’s written request. DHLLC maintains and enforces commercially reasonable information security and physical security policies, procedures, and standards, that are designed (i) to insure the security and confidentiality of Seller’s records and information, (ii) to protect against any anticipated threats or hazards to the security or integrity of those records, and (iii) to protect against unauthorized access to or use of those records or information that could result in substantial harm (“DHLLC Information Security Program”). At a minimum, the DHLLC Information Security Program is designed to align with the standards set out in ISO 27002 published by the International Organization for Standardization, as well as any revisions, versions, or other standards or objectives that supersede or replace the foregoing. DHLLC engages its independent certified public accountants to conduct a review of DHLLC’s operations and procedures at DHLLC’s cost. The accountants conduct the review under the American Institute of Certified Public Accounts Statement on Standards for Attestation Engagements No. 18 SOC I Type II (“SSAE 18”) and record their findings and recommendations in a report to DHLLC. On request, and subject to standard confidentiality obligations, DHLLC will provide its most recent SSAE 18, and, in DHLLC’s reasonable discretion, additional information reasonably requested to address questions or concerns regarding the SSAE 18’s findings. |
Exhibit 2
Details of Processing Seller Personal Information
Service |
Nature and purpose of the processing |
Types of personal information |
Categories of data subjects to whom the personal information relates to |
Order Insight |
Issuers access detailed transaction information from Participating Sellers via a global data-sharing network to prevent disputes at first Consumer inquiry. Consumers access and view detailed transaction information from Participating Sellers via Issuers in the Issuer mobile app or online banking website for the Consumer, to prevent disputes at first Consumer inquiry. DHLLC transfers (according to the instructions of the Controller) Seller Personal Information to issuing banks, payment processors providing services on behalf of acquiring banks, credit/debit card companies, or service providers providing the Order Insight service used by Participating Sellers. |
If the Participating Seller opts to use the Order Insight service, DHLLC will use required transaction information, including, without limitation, transaction information and order detail information necessary for Processing the Order Insight request with the issuer. Further detail is included in the applicable Services Documentation provided at the time of implementation of the Service. |
Participating Seller’s employees, agents, advisors, or representatives; or Consumers. |
CDRN |
CDRN allows Participating Sellers to actively process non-fraud and confirmed fraud pre-dispute cases with a refund or cancellation avoiding a Dispute. |
If the Participating Seller opts to use CDRN, DHLLC will use required transaction information, including, without limitation, transaction information and order detail information necessary for Processing the Participating Seller’s decisioning as it relates to a pre-dispute case to Issuer. Further detail is included in the applicable Services Documentation provided at the time of implementation of the Service. |
Participating Seller’s employees, agents, advisors, or representatives; or Consumers. |
RDR (Rapid Dispute Resolution) |
RDR allows Participating Sellers to process non-fraud and confirmed fraud pre-dispute with an acquirer-initiated funds reversal based on the rules set by Participating Sellers. |
If the Participating Seller opts to use RDR, DHLLC will use required transaction information, including, without limitation, transaction information and order detail information necessary for Processing the Participating Sellers automatic rules as it relates to a Dispute to Issuer. Further detail is included in the applicable Services Documentation provided at the time of implementation of the Service. |
Participating Seller’s employees, agents, advisors, or representatives; or Consumers. |
Fraud and Dispute Services |
Fraud and Dispute Services provides a Participating Seller with direct delivery of fraud and dispute notifications to reduce payment risk. |
If the Participating Seller opts to use the Fraud and Dispute service, DHLLC will use required transaction information, to provide real-time, transaction level notification, to enhance and inform fraud detection and modeling to the Participating Seller. Participating Sellers can also stop order fulfillment/shipment when possible. Further detail is included in the applicable Services Documentation provided at the time of implementation of the Service. |
Participating Seller’s employees, agents, advisors, or representatives; or Consumers. |
Ethoca Alerts |
DHLLC performs monitoring, reporting, data analysis, and data aggregation for the purpose of providing Alerts. |
If the Participating Seller opts to use Ethoca Alerts, the type of Personal Data being processed includes transaction-related information, such as card or account number, transaction amount, transaction date and time, and merchant identifier and the type of Personal Data listed in the agreement. |
Participating Seller’s employees, agents, advisors, or representatives; or Consumers. |
Consumer Clarity Solution |
The facilitation of the transfer of Consumer Clarity Data by Ethoca to Participating Issuers / Cardholders for purposes of answering Cardholder queries in respect of Identified Transactions or the investigation of Identified Transactions to confirm whether they are in fact fraudulent or to resolve disputes (and any other purposes as set out in the agreement or as agreed in writing between the parties from time to time). |
If the Participating Seller opts to use Consumer Clarity Solution, the type of Personal Data being processed includes, without limitation, the following pieces of information in respect of Identified Transactions (which alone, or in combination, may constitute Personal Data):
|
Participating Seller’s employees, agents, advisors, or representatives; or Consumers. |
Exhibit 3
List of Sub-Sub Processors
Company |
Functions Performed |
Location |
Applicable Service |
Verifi, Inc. |
Service Provider |
U.S.A. |
Order Insight CDRN RDR Fraud and Dispute Services |
Ethoca Limited |
Service Provider |
Canada |
Ethoca Alerts Consumer Clarity Solution |
Copyright 2024 DisputeHelp. All Rights Reserved | Careers | Privacy Policy | California Residents Privacy Statement |
Seller Data Processing Policy | Reseller Data Processing Policy